Re: Possible Hacking routine

James Moriartey (jmoriartey@glink2.com)
Sun, 13 Jul 1997 06:50:35 -0600

Here is the script I use to parse the termserver's syslog file. It is run off a different script that copies the gz file to a temp directory, gunzips the termserver's syslog file, processes the file with this script, then emails the parsed log to the person responsible. There are a couple of other similar scripts I use to process the messages and daemon syslog files.

Because it runs a day behind it will not capture someone at the point of an attempted hack of !root, but it can be used to give a daily overview of what is happening.

If anyone would like to use it you may have to tweak the location of the logfile, perl5 and the lines that are counted; also, any line that is not counted is displayed at the top, like "admin login failed".

<-----------------------------------------------------cut here
#!/usr/bin/perl5
# Code hacked from unknown source by jmoriartey@glink2.com
# Free to use free to hack
# Name: Parse_Term.perl
# Desc: Parse The Termlog file modified by jmoriartey@glink2.com
$VERSION = 1.01;
print "\nParse TermServer Log Ver $VERSION \n";
print "---------------------------\n";

eval
{

$MESG_LOC = "/var/tmp/termlog.0";

# Start every counter at zero so a category with no hits prints 0, not blank
$Dialindis = $Dialinsucces = $Dialin = $Command = $User = $Lost = 0;
$Idle = $Error = $AdminReset = $Timeout = $PPP = $PPPFailed = $TCPdeny = 0;
$LINE_COUNT = 0;

open (MSG,"$MESG_LOC") || die "Can't Open $MESG_LOC";

while ($LINE=<MSG>)
{
# First matching pattern wins; each known event type bumps its own counter.
# Anything that matches none of them (e.g. "admin login failed") is printed
# verbatim so it gets looked at rather than vanishing into a total.
if ($LINE =~ /\ssession\sdisconnected/) {$Dialindis++;}
elsif ($LINE =~ /\sPPP\ssucceeded/) {$Dialinsucces++;}
elsif ($LINE =~ /\sdialnet:/) {$Dialin++;}
elsif ($LINE =~ /\scommand/) {$Command++;}
elsif ($LINE =~ /\sadmin\slogin\ssucceeded/) {$User++;}
elsif ($LINE =~ /\s-\sLost\sCarrier/) {$Lost++;}
elsif ($LINE =~ /\s-\sIdle\sTimeout/) {$Idle++;}
elsif ($LINE =~ /\s-\sUser\sError/) {$Error++;}
elsif ($LINE =~ /\s-\sAdmin\sReset/) {$AdminReset++;}
elsif ($LINE =~ /\s-\sLogin\sTimeout/) {$Timeout++;}
elsif ($LINE =~ /\s-\sUser\sRequest\s-\sPPP\sTerm\sReq/) {$PPP++;}
elsif ($LINE =~ /\sPPP\sAuth\sFailed/) {$PPPFailed++;}
elsif ($LINE =~ /\sdeny:/) {$TCPdeny++;}
else {print "$LINE";}
$LINE_COUNT++;
}
close (MSG);

print "---------------------------\n";
print "Connected:\t$Dialinsucces\n";
print "Disconnected:\t$Dialindis\n";
print "Admin login:\t$User\n";
print "Commands:\t$Command\n";
print "Lost Carrier:\t$Lost\n";
print "Idle Time Out:\t$Idle\n";
print "PPP Disconnect:\t$PPP\n";
print "Name & IP:\t$Dialin\n";
print "User Error:\t$Error\n";
print "Admin Reset:\t$AdminReset\n";
print "Choice deny:\t$TCPdeny\n";
print "PPP AuthFailed:\t$PPPFailed\n";
print "Login TimeOut:\t$Timeout\n";
# Total of counted lines, each counter exactly once; the difference from
# LINE_COUNT is the number of uncounted lines printed above.
$TCOUNT = $Dialinsucces + $Dialindis + $Dialin + $User + $Command + $Lost +
$Idle + $PPP + $Error + $AdminReset + $TCPdeny + $PPPFailed + $Timeout;
print "Visible Lines:\t$TCOUNT\n";
print "Line_Count:\t$LINE_COUNT\n\n";

};
if ($@) { chomp $@; print "Error is: $@\n"; } # if eval dumps.
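The same triage idea (count the event types you already understand, surface every line you don't) as an added example in Python; this is not the poster's script and the term-server message wording, the labels, and the sample log lines are all constructed assumptions for the example. It adds two checks the daily overview benefits from: a consistency test that counted plus unclassified lines equals the line total, which catches a pattern that silently double counts or drops lines, and a per-address tally of the unclassified lines so a burst of "admin login failed" from one source stands out.

```python
import re
from collections import Counter

# Event classes in priority order: the first pattern that matches a line wins,
# exactly like an if/elsif chain. Labels and regexes are constructed for this
# example and are assumptions about the term-server's message wording.
EVENT_PATTERNS = [
    ("Disconnected",   r"\ssession\sdisconnected"),
    ("Connected",      r"\sPPP\ssucceeded"),
    ("Name & IP",      r"\sdialnet:"),
    ("Commands",       r"\scommand"),
    ("Admin login",    r"\sadmin\slogin\ssucceeded"),
    ("Lost Carrier",   r"\s-\sLost\sCarrier"),
    ("Idle Time Out",  r"\s-\sIdle\sTimeout"),
    ("User Error",     r"\s-\sUser\sError"),
    ("Admin Reset",    r"\s-\sAdmin\sReset"),
    ("Login TimeOut",  r"\s-\sLogin\sTimeout"),
    ("PPP Disconnect", r"\s-\sUser\sRequest\s-\sPPP\sTerm\sReq"),
    ("PPP AuthFailed", r"\sPPP\sAuth\sFailed"),
    ("Choice deny",    r"\sdeny:"),
]
COMPILED = [(label, re.compile(pat)) for label, pat in EVENT_PATTERNS]

# Constructed sample of one night's term-server syslog (not real data).
SAMPLE_LOG = """\
Jul 12 23:58:01 ts1 annex: port 3: dialnet: jdoe 192.0.2.10
Jul 12 23:58:02 ts1 annex: port 3: PPP succeeded
Jul 13 00:14:55 ts1 annex: port 3: - Idle Timeout
Jul 13 00:14:56 ts1 annex: port 3: session disconnected
Jul 13 01:02:03 ts1 annex: port 5: PPP Auth Failed
Jul 13 02:10:00 ts1 annex: admin login failed from 192.0.2.77
Jul 13 02:10:20 ts1 annex: admin login failed from 192.0.2.77
Jul 13 02:11:00 ts1 annex: admin login succeeded from 192.0.2.77
Jul 13 03:00:00 ts1 annex: deny: tcp 192.0.2.77 -> 10.0.0.1:23
"""

def parse_termlog(lines):
    """Classify each line. Returns (counts, unmatched_lines, line_count).
    Lines that fit no known class are kept verbatim so they can be shown
    at the top of the report instead of disappearing into a total."""
    counts = Counter({label: 0 for label, _ in COMPILED})
    unmatched = []
    line_count = 0
    for raw in lines:
        line_count += 1
        line = raw.rstrip("\n")
        for label, pattern in COMPILED:
            if pattern.search(line):
                counts[label] += 1
                break
        else:
            unmatched.append(line)
    return counts, unmatched, line_count

def totals_consistent(counts, unmatched, line_count):
    """Every line is either counted once or listed as unmatched; if this
    fails, a pattern is double counting or a line was dropped."""
    return sum(counts.values()) + len(unmatched) == line_count

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def unmatched_by_address(unmatched):
    """Group the unexplained lines by the first IPv4 address they mention,
    so repeated failures from one source are visible at a glance."""
    by_addr = Counter()
    for line in unmatched:
        m = IPV4.search(line)
        if m:
            by_addr[m.group(0)] += 1
    return dict(by_addr)

def report(counts, unmatched, line_count):
    """Render the daily overview: unclassified lines first, then the counts."""
    out = ["--- unclassified lines (review these) ---", *unmatched,
           "---------------------------"]
    out += [f"{label}:\t{counts[label]}" for label, _ in COMPILED]
    out.append(f"Visible Lines:\t{sum(counts.values())}")
    out.append(f"Line_Count:\t{line_count}")
    for addr, n in sorted(unmatched_by_address(unmatched).items()):
        out.append(f"unclassified from {addr}:\t{n}")
    return "\n".join(out)

if __name__ == "__main__":
    c, u, n = parse_termlog(SAMPLE_LOG.splitlines())
    print(report(c, u, n))
    if not totals_consistent(c, u, n):
        print("WARNING: counted + unclassified != total lines")
```

To run it against a real file, replace `SAMPLE_LOG.splitlines()` with the opened log file and adjust the regexes to your term-server's wording; the consistency check will flag the adjustment if two patterns overlap.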